Revert "Revert "Add TSI zero-copy frame protector""

BUILD

@@ -1411,32 +1411,46 @@ grpc_cc_library(
     ],
 )
 
+grpc_cc_library(
+    name = "tsi_interface",
+    srcs = [
+        "src/core/tsi/transport_security.c",
+        "src/core/tsi/transport_security_adapter.c",
+    ],
+    hdrs = [
+        "src/core/tsi/transport_security.h",
+        "src/core/tsi/transport_security_adapter.h",
+        "src/core/tsi/transport_security_interface.h",
+    ],
+    language = "c",
+    deps = [
+        "gpr",
+        "grpc_trace",
+    ],
+)
+
 grpc_cc_library(
     name = "tsi",
     srcs = [
         "src/core/tsi/fake_transport_security.c",
         "src/core/tsi/gts_transport_security.c",
         "src/core/tsi/ssl_transport_security.c",
-        "src/core/tsi/transport_security.c",
-        "src/core/tsi/transport_security_adapter.c",
+        "src/core/tsi/transport_security_grpc.c",
     ],
     hdrs = [
         "src/core/tsi/fake_transport_security.h",
         "src/core/tsi/gts_transport_security.h",
         "src/core/tsi/ssl_transport_security.h",
         "src/core/tsi/ssl_types.h",
-        "src/core/tsi/transport_security.h",
-        "src/core/tsi/transport_security_adapter.h",
-        "src/core/tsi/transport_security_interface.h",
+        "src/core/tsi/transport_security_grpc.h",
     ],
     external_deps = [
         "libssl",
     ],
     language = "c",
     deps = [
-        "gpr",
         "grpc_base",
-        "grpc_trace",
+        "tsi_interface",
     ],
 )
 

CMakeLists.txt

@@ -1132,6 +1132,7 @@ add_library(grpc
   src/core/tsi/fake_transport_security.c
   src/core/tsi/gts_transport_security.c
   src/core/tsi/ssl_transport_security.c
+  src/core/tsi/transport_security_grpc.c
   src/core/tsi/transport_security.c
   src/core/tsi/transport_security_adapter.c
   src/core/ext/transport/chttp2/server/chttp2_server.c
@@ -1503,6 +1504,7 @@ add_library(grpc_cronet
   src/core/tsi/fake_transport_security.c
   src/core/tsi/gts_transport_security.c
   src/core/tsi/ssl_transport_security.c
+  src/core/tsi/transport_security_grpc.c
   src/core/tsi/transport_security.c
   src/core/tsi/transport_security_adapter.c
   src/core/ext/transport/chttp2/client/chttp2_connector.c

Makefile

@@ -3079,6 +3079,7 @@ LIBGRPC_SRC = \
     src/core/tsi/fake_transport_security.c \
     src/core/tsi/gts_transport_security.c \
     src/core/tsi/ssl_transport_security.c \
+    src/core/tsi/transport_security_grpc.c \
     src/core/tsi/transport_security.c \
     src/core/tsi/transport_security_adapter.c \
     src/core/ext/transport/chttp2/server/chttp2_server.c \
@@ -3448,6 +3449,7 @@ LIBGRPC_CRONET_SRC = \
     src/core/tsi/fake_transport_security.c \
     src/core/tsi/gts_transport_security.c \
     src/core/tsi/ssl_transport_security.c \
+    src/core/tsi/transport_security_grpc.c \
     src/core/tsi/transport_security.c \
     src/core/tsi/transport_security_adapter.c \
     src/core/ext/transport/chttp2/client/chttp2_connector.c \
@@ -19721,6 +19723,7 @@ src/core/tsi/gts_transport_security.c: $(OPENSSL_DEP)
 src/core/tsi/ssl_transport_security.c: $(OPENSSL_DEP)
 src/core/tsi/transport_security.c: $(OPENSSL_DEP)
 src/core/tsi/transport_security_adapter.c: $(OPENSSL_DEP)
+src/core/tsi/transport_security_grpc.c: $(OPENSSL_DEP)
 src/cpp/client/cronet_credentials.cc: $(OPENSSL_DEP)
 src/cpp/client/secure_credentials.cc: $(OPENSSL_DEP)
 src/cpp/common/auth_property_iterator.cc: $(OPENSSL_DEP)

binding.gyp

@@ -841,6 +841,7 @@
         'src/core/tsi/fake_transport_security.c',
         'src/core/tsi/gts_transport_security.c',
         'src/core/tsi/ssl_transport_security.c',
+        'src/core/tsi/transport_security_grpc.c',
         'src/core/tsi/transport_security.c',
         'src/core/tsi/transport_security_adapter.c',
         'src/core/ext/transport/chttp2/server/chttp2_server.c',

build.yaml

@@ -925,15 +925,12 @@ filegroups:
   - src/core/tsi/gts_transport_security.h
   - src/core/tsi/ssl_transport_security.h
   - src/core/tsi/ssl_types.h
-  - src/core/tsi/transport_security.h
-  - src/core/tsi/transport_security_adapter.h
-  - src/core/tsi/transport_security_interface.h
+  - src/core/tsi/transport_security_grpc.h
   src:
   - src/core/tsi/fake_transport_security.c
   - src/core/tsi/gts_transport_security.c
   - src/core/tsi/ssl_transport_security.c
-  - src/core/tsi/transport_security.c
-  - src/core/tsi/transport_security_adapter.c
+  - src/core/tsi/transport_security_grpc.c
   deps:
   - gpr
   plugin: grpc_tsi_gts
@@ -941,6 +938,20 @@ filegroups:
   uses:
   - grpc_trace
   - grpc_base
+  - tsi_interface
+- name: tsi_interface
+  headers:
+  - src/core/tsi/transport_security.h
+  - src/core/tsi/transport_security_adapter.h
+  - src/core/tsi/transport_security_interface.h
+  src:
+  - src/core/tsi/transport_security.c
+  - src/core/tsi/transport_security_adapter.c
+  deps:
+  - gpr
+  secure: true
+  uses:
+  - grpc_trace
 - name: grpc++_codegen_base
   language: c++
   public_headers:

config.m4

@@ -270,6 +270,7 @@ if test "$PHP_GRPC" != "no"; then
     src/core/tsi/fake_transport_security.c \
     src/core/tsi/gts_transport_security.c \
     src/core/tsi/ssl_transport_security.c \
+    src/core/tsi/transport_security_grpc.c \
     src/core/tsi/transport_security.c \
     src/core/tsi/transport_security_adapter.c \
     src/core/ext/transport/chttp2/server/chttp2_server.c \

config.w32

@@ -247,6 +247,7 @@ if (PHP_GRPC != "no") {
     "src\\core\\tsi\\fake_transport_security.c " +
     "src\\core\\tsi\\gts_transport_security.c " +
     "src\\core\\tsi\\ssl_transport_security.c " +
+    "src\\core\\tsi\\transport_security_grpc.c " +
     "src\\core\\tsi\\transport_security.c " +
     "src\\core\\tsi\\transport_security_adapter.c " +
     "src\\core\\ext\\transport\\chttp2\\server\\chttp2_server.c " +

gRPC-Core.podspec

@@ -290,6 +290,7 @@ Pod::Spec.new do |s|
                       'src/core/tsi/gts_transport_security.h',
                       'src/core/tsi/ssl_transport_security.h',
                       'src/core/tsi/ssl_types.h',
+                      'src/core/tsi/transport_security_grpc.h',
                       'src/core/tsi/transport_security.h',
                       'src/core/tsi/transport_security_adapter.h',
                       'src/core/tsi/transport_security_interface.h',
@@ -648,6 +649,7 @@ Pod::Spec.new do |s|
                       'src/core/tsi/fake_transport_security.c',
                       'src/core/tsi/gts_transport_security.c',
                       'src/core/tsi/ssl_transport_security.c',
+                      'src/core/tsi/transport_security_grpc.c',
                       'src/core/tsi/transport_security.c',
                       'src/core/tsi/transport_security_adapter.c',
                       'src/core/ext/transport/chttp2/server/chttp2_server.c',
@@ -782,6 +784,7 @@ Pod::Spec.new do |s|
                               'src/core/tsi/gts_transport_security.h',
                               'src/core/tsi/ssl_transport_security.h',
                               'src/core/tsi/ssl_types.h',
+                              'src/core/tsi/transport_security_grpc.h',
                               'src/core/tsi/transport_security.h',
                               'src/core/tsi/transport_security_adapter.h',
                               'src/core/tsi/transport_security_interface.h',

grpc.gemspec

@@ -222,6 +222,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/tsi/gts_transport_security.h )
   s.files += %w( src/core/tsi/ssl_transport_security.h )
   s.files += %w( src/core/tsi/ssl_types.h )
+  s.files += %w( src/core/tsi/transport_security_grpc.h )
   s.files += %w( src/core/tsi/transport_security.h )
   s.files += %w( src/core/tsi/transport_security_adapter.h )
   s.files += %w( src/core/tsi/transport_security_interface.h )
@@ -580,6 +581,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/tsi/fake_transport_security.c )
   s.files += %w( src/core/tsi/gts_transport_security.c )
   s.files += %w( src/core/tsi/ssl_transport_security.c )
+  s.files += %w( src/core/tsi/transport_security_grpc.c )
   s.files += %w( src/core/tsi/transport_security.c )
   s.files += %w( src/core/tsi/transport_security_adapter.c )
   s.files += %w( src/core/ext/transport/chttp2/server/chttp2_server.c )

package.xml

@@ -236,6 +236,7 @@
     <file baseinstalldir="/" name="src/core/tsi/gts_transport_security.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/ssl_transport_security.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/ssl_types.h" role="src" />
+    <file baseinstalldir="/" name="src/core/tsi/transport_security_grpc.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/transport_security.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/transport_security_adapter.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/transport_security_interface.h" role="src" />
@@ -594,6 +595,7 @@
     <file baseinstalldir="/" name="src/core/tsi/fake_transport_security.c" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/gts_transport_security.c" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/ssl_transport_security.c" role="src" />
+    <file baseinstalldir="/" name="src/core/tsi/transport_security_grpc.c" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/transport_security.c" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/transport_security_adapter.c" role="src" />
     <file baseinstalldir="/" name="src/core/ext/transport/chttp2/server/chttp2_server.c" role="src" />

src/core/tsi/fake_transport_security.c

@@ -407,8 +407,10 @@ static void fake_handshaker_result_destroy(tsi_handshaker_result *self) {
 
 static const tsi_handshaker_result_vtable handshaker_result_vtable = {
     fake_handshaker_result_extract_peer,
+    NULL, /* create_zero_copy_grpc_protector */
     fake_handshaker_result_create_frame_protector,
-    fake_handshaker_result_get_unused_bytes, fake_handshaker_result_destroy,
+    fake_handshaker_result_get_unused_bytes,
+    fake_handshaker_result_destroy,
 };
 
 static tsi_result fake_handshaker_result_create(

src/core/tsi/transport_security.c

@@ -74,14 +74,12 @@ tsi_result tsi_frame_protector_protect(tsi_frame_protector *self,
                                        size_t *unprotected_bytes_size,
                                        unsigned char *protected_output_frames,
                                        size_t *protected_output_frames_size) {
-  if (self == NULL || unprotected_bytes == NULL ||
+  if (self == NULL || self->vtable == NULL || unprotected_bytes == NULL ||
       unprotected_bytes_size == NULL || protected_output_frames == NULL ||
       protected_output_frames_size == NULL) {
     return TSI_INVALID_ARGUMENT;
   }
-  if (self->vtable == NULL || self->vtable->protect == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->protect == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->protect(self, unprotected_bytes, unprotected_bytes_size,
                                protected_output_frames,
                                protected_output_frames_size);
@@ -90,13 +88,11 @@ tsi_result tsi_frame_protector_protect(tsi_frame_protector *self,
 tsi_result tsi_frame_protector_protect_flush(
     tsi_frame_protector *self, unsigned char *protected_output_frames,
     size_t *protected_output_frames_size, size_t *still_pending_size) {
-  if (self == NULL || protected_output_frames == NULL ||
+  if (self == NULL || self->vtable == NULL || protected_output_frames == NULL ||
       protected_output_frames_size == NULL || still_pending_size == NULL) {
     return TSI_INVALID_ARGUMENT;
   }
-  if (self->vtable == NULL || self->vtable->protect_flush == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->protect_flush == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->protect_flush(self, protected_output_frames,
                                      protected_output_frames_size,
                                      still_pending_size);
@@ -106,14 +102,12 @@ tsi_result tsi_frame_protector_unprotect(
     tsi_frame_protector *self, const unsigned char *protected_frames_bytes,
     size_t *protected_frames_bytes_size, unsigned char *unprotected_bytes,
     size_t *unprotected_bytes_size) {
-  if (self == NULL || protected_frames_bytes == NULL ||
+  if (self == NULL || self->vtable == NULL || protected_frames_bytes == NULL ||
       protected_frames_bytes_size == NULL || unprotected_bytes == NULL ||
       unprotected_bytes_size == NULL) {
     return TSI_INVALID_ARGUMENT;
   }
-  if (self->vtable == NULL || self->vtable->unprotect == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->unprotect == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->unprotect(self, protected_frames_bytes,
                                  protected_frames_bytes_size, unprotected_bytes,
                                  unprotected_bytes_size);
@@ -131,48 +125,44 @@ void tsi_frame_protector_destroy(tsi_frame_protector *self) {
 tsi_result tsi_handshaker_get_bytes_to_send_to_peer(tsi_handshaker *self,
                                                     unsigned char *bytes,
                                                     size_t *bytes_size) {
-  if (self == NULL || bytes == NULL || bytes_size == NULL) {
+  if (self == NULL || self->vtable == NULL || bytes == NULL ||
+      bytes_size == NULL) {
     return TSI_INVALID_ARGUMENT;
   }
   if (self->frame_protector_created) return TSI_FAILED_PRECONDITION;
-  if (self->vtable == NULL || self->vtable->get_bytes_to_send_to_peer == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->get_bytes_to_send_to_peer == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->get_bytes_to_send_to_peer(self, bytes, bytes_size);
 }
 
 tsi_result tsi_handshaker_process_bytes_from_peer(tsi_handshaker *self,
                                                   const unsigned char *bytes,
                                                   size_t *bytes_size) {
-  if (self == NULL || bytes == NULL || bytes_size == NULL) {
+  if (self == NULL || self->vtable == NULL || bytes == NULL ||
+      bytes_size == NULL) {
     return TSI_INVALID_ARGUMENT;
   }
   if (self->frame_protector_created) return TSI_FAILED_PRECONDITION;
-  if (self->vtable == NULL || self->vtable->process_bytes_from_peer == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->process_bytes_from_peer == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->process_bytes_from_peer(self, bytes, bytes_size);
 }
 
 tsi_result tsi_handshaker_get_result(tsi_handshaker *self) {
-  if (self == NULL) return TSI_INVALID_ARGUMENT;
+  if (self == NULL || self->vtable == NULL) return TSI_INVALID_ARGUMENT;
   if (self->frame_protector_created) return TSI_FAILED_PRECONDITION;
-  if (self->vtable == NULL || self->vtable->get_result == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->get_result == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->get_result(self);
 }
 
 tsi_result tsi_handshaker_extract_peer(tsi_handshaker *self, tsi_peer *peer) {
-  if (self == NULL || peer == NULL) return TSI_INVALID_ARGUMENT;
+  if (self == NULL || self->vtable == NULL || peer == NULL) {
+    return TSI_INVALID_ARGUMENT;
+  }
   memset(peer, 0, sizeof(tsi_peer));
   if (self->frame_protector_created) return TSI_FAILED_PRECONDITION;
   if (tsi_handshaker_get_result(self) != TSI_OK) {
     return TSI_FAILED_PRECONDITION;
   }
-  if (self->vtable == NULL || self->vtable->extract_peer == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->extract_peer == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->extract_peer(self, peer);
 }
 
@@ -180,14 +170,12 @@ tsi_result tsi_handshaker_create_frame_protector(
     tsi_handshaker *self, size_t *max_protected_frame_size,
     tsi_frame_protector **protector) {
   tsi_result result;
-  if (self == NULL || protector == NULL) return TSI_INVALID_ARGUMENT;
-  if (self->frame_protector_created) return TSI_FAILED_PRECONDITION;
-  if (tsi_handshaker_get_result(self) != TSI_OK) {
-    return TSI_FAILED_PRECONDITION;
-  }
-  if (self->vtable == NULL || self->vtable->create_frame_protector == NULL) {
-    return TSI_UNIMPLEMENTED;
+  if (self == NULL || self->vtable == NULL || protector == NULL) {
+    return TSI_INVALID_ARGUMENT;
   }
+  if (self->frame_protector_created) return TSI_FAILED_PRECONDITION;
+  if (tsi_handshaker_get_result(self) != TSI_OK) return TSI_FAILED_PRECONDITION;
+  if (self->vtable->create_frame_protector == NULL) return TSI_UNIMPLEMENTED;
   result = self->vtable->create_frame_protector(self, max_protected_frame_size,
                                                 protector);
   if (result == TSI_OK) {
@@ -201,11 +189,9 @@ tsi_result tsi_handshaker_next(
     size_t received_bytes_size, unsigned char **bytes_to_send,
     size_t *bytes_to_send_size, tsi_handshaker_result **handshaker_result,
     tsi_handshaker_on_next_done_cb cb, void *user_data) {
-  if (self == NULL) return TSI_INVALID_ARGUMENT;
+  if (self == NULL || self->vtable == NULL) return TSI_INVALID_ARGUMENT;
   if (self->handshaker_result_created) return TSI_FAILED_PRECONDITION;
-  if (self->vtable == NULL || self->vtable->next == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->next == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->next(self, received_bytes, received_bytes_size,
                             bytes_to_send, bytes_to_send_size,
                             handshaker_result, cb, user_data);
@@ -220,21 +206,21 @@ void tsi_handshaker_destroy(tsi_handshaker *self) {
 
 tsi_result tsi_handshaker_result_extract_peer(const tsi_handshaker_result *self,
                                               tsi_peer *peer) {
-  if (self == NULL || peer == NULL) return TSI_INVALID_ARGUMENT;
-  memset(peer, 0, sizeof(tsi_peer));
-  if (self->vtable == NULL || self->vtable->extract_peer == NULL) {
-    return TSI_UNIMPLEMENTED;
+  if (self == NULL || self->vtable == NULL || peer == NULL) {
+    return TSI_INVALID_ARGUMENT;
   }
+  memset(peer, 0, sizeof(tsi_peer));
+  if (self->vtable->extract_peer == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->extract_peer(self, peer);
 }
 
 tsi_result tsi_handshaker_result_create_frame_protector(
     const tsi_handshaker_result *self, size_t *max_protected_frame_size,
     tsi_frame_protector **protector) {
-  if (self == NULL || protector == NULL) return TSI_INVALID_ARGUMENT;
-  if (self->vtable == NULL || self->vtable->create_frame_protector == NULL) {
-    return TSI_UNIMPLEMENTED;
+  if (self == NULL || self->vtable == NULL || protector == NULL) {
+    return TSI_INVALID_ARGUMENT;
   }
+  if (self->vtable->create_frame_protector == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->create_frame_protector(self, max_protected_frame_size,
                                               protector);
 }
@@ -242,12 +228,11 @@ tsi_result tsi_handshaker_result_create_frame_protector(
 tsi_result tsi_handshaker_result_get_unused_bytes(
     const tsi_handshaker_result *self, const unsigned char **bytes,
     size_t *bytes_size) {
-  if (self == NULL || bytes == NULL || bytes_size == NULL) {
+  if (self == NULL || self->vtable == NULL || bytes == NULL ||
+      bytes_size == NULL) {
     return TSI_INVALID_ARGUMENT;
   }
-  if (self->vtable == NULL || self->vtable->get_unused_bytes == NULL) {
-    return TSI_UNIMPLEMENTED;
-  }
+  if (self->vtable->get_unused_bytes == NULL) return TSI_UNIMPLEMENTED;
   return self->vtable->get_unused_bytes(self, bytes, bytes_size);
 }
 

src/core/tsi/transport_security.h

@@ -86,6 +86,10 @@ struct tsi_handshaker {
    See transport_security_interface.h for documentation. */
 typedef struct {
   tsi_result (*extract_peer)(const tsi_handshaker_result *self, tsi_peer *peer);
+  tsi_result (*create_zero_copy_grpc_protector)(
+      const tsi_handshaker_result *self,
+      size_t *max_output_protected_frame_size,
+      tsi_zero_copy_grpc_protector **protector);
   tsi_result (*create_frame_protector)(const tsi_handshaker_result *self,
                                        size_t *max_output_protected_frame_size,
                                        tsi_frame_protector **protector);

src/core/tsi/transport_security_adapter.c

@@ -66,8 +66,11 @@ static void adapter_result_destroy(tsi_handshaker_result *self) {
 }
 
 static const tsi_handshaker_result_vtable result_vtable = {
-    adapter_result_extract_peer, adapter_result_create_frame_protector,
-    adapter_result_get_unused_bytes, adapter_result_destroy,
+    adapter_result_extract_peer,
+    NULL, /* create_zero_copy_grpc_protector */
+    adapter_result_create_frame_protector,
+    adapter_result_get_unused_bytes,
+    adapter_result_destroy,
 };
 
 /* Ownership of wrapped tsi_handshaker is transferred to the result object.  */

src/core/tsi/transport_security_grpc.c

@@ -0,0 +1,64 @@
+/*
+ *
+ * Copyright 2017 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "src/core/tsi/transport_security_grpc.h"
+
+/* This method creates a tsi_zero_copy_grpc_protector object.  */
+tsi_result tsi_handshaker_result_create_zero_copy_grpc_protector(
+    const tsi_handshaker_result *self, size_t *max_protected_frame_size,
+    tsi_zero_copy_grpc_protector **protector) {
+  if (self == NULL || self->vtable == NULL || protector == NULL) {
+    return TSI_INVALID_ARGUMENT;
+  }
+  if (self->vtable->create_zero_copy_grpc_protector == NULL) {
+    return TSI_UNIMPLEMENTED;
+  }
+  return self->vtable->create_zero_copy_grpc_protector(
+      self, max_protected_frame_size, protector);
+}
+
+/* --- tsi_zero_copy_grpc_protector common implementation. ---
+
+   Calls specific implementation after state/input validation. */
+
+tsi_result tsi_zero_copy_grpc_protector_protect(
+    tsi_zero_copy_grpc_protector *self, grpc_slice_buffer *unprotected_slices,
+    grpc_slice_buffer *protected_slices) {
+  if (self == NULL || self->vtable == NULL || unprotected_slices == NULL ||
+      protected_slices == NULL) {
+    return TSI_INVALID_ARGUMENT;
+  }
+  if (self->vtable->protect == NULL) return TSI_UNIMPLEMENTED;
+  return self->vtable->protect(self, unprotected_slices, protected_slices);
+}
+
+tsi_result tsi_zero_copy_grpc_protector_unprotect(
+    tsi_zero_copy_grpc_protector *self, grpc_slice_buffer *protected_slices,
+    grpc_slice_buffer *unprotected_slices) {
+  if (self == NULL || self->vtable == NULL || protected_slices == NULL ||
+      unprotected_slices == NULL) {
+    return TSI_INVALID_ARGUMENT;
+  }
+  if (self->vtable->unprotect == NULL) return TSI_UNIMPLEMENTED;
+  return self->vtable->unprotect(self, protected_slices, unprotected_slices);
+}
+
+void tsi_zero_copy_grpc_protector_destroy(tsi_zero_copy_grpc_protector *self) {
+  if (self == NULL) return;
+  self->vtable->destroy(self);
+}

src/core/tsi/transport_security_grpc.h

@@ -0,0 +1,80 @@
+/*
+ *
+ * Copyright 2017 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_TSI_TRANSPORT_SECURITY_GRPC_H
+#define GRPC_CORE_TSI_TRANSPORT_SECURITY_GRPC_H
+
+#include <grpc/slice_buffer.h>
+#include "src/core/tsi/transport_security.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* This method creates a tsi_zero_copy_grpc_protector object. It return TSI_OK
+   assuming there is no fatal error.
+   The caller is responsible for destroying the protector.  */
+tsi_result tsi_handshaker_result_create_zero_copy_grpc_protector(
+    const tsi_handshaker_result *self, size_t *max_output_protected_frame_size,
+    tsi_zero_copy_grpc_protector **protector);
+
+/* -- tsi_zero_copy_grpc_protector object --  */
+
+/* Outputs protected frames.
+   - unprotected_slices is the unprotected data to be protected.
+   - protected_slices is the protected output frames. One or more frames
+     may be produced in this protect function.
+   - This method returns TSI_OK in case of success or a specific error code in
+     case of failure.  */
+tsi_result tsi_zero_copy_grpc_protector_protect(
+    tsi_zero_copy_grpc_protector *self, grpc_slice_buffer *unprotected_slices,
+    grpc_slice_buffer *protected_slices);
+
+/* Outputs unprotected bytes.
+   - protected_slices is the bytes of protected frames.
+   - unprotected_slices is the unprotected output data.
+   - This method returns TSI_OK in case of success. Success includes cases where
+     there is not enough data to output in which case unprotected_slices has 0
+     bytes.  */
+tsi_result tsi_zero_copy_grpc_protector_unprotect(
+    tsi_zero_copy_grpc_protector *self, grpc_slice_buffer *protected_slices,
+    grpc_slice_buffer *unprotected_slices);
+
+/* Destroys the tsi_zero_copy_grpc_protector object.  */
+void tsi_zero_copy_grpc_protector_destroy(tsi_zero_copy_grpc_protector *self);
+
+/* Base for tsi_zero_copy_grpc_protector implementations.  */
+typedef struct {
+  tsi_result (*protect)(tsi_zero_copy_grpc_protector *self,
+                        grpc_slice_buffer *unprotected_slices,
+                        grpc_slice_buffer *protected_slices);
+  tsi_result (*unprotect)(tsi_zero_copy_grpc_protector *self,
+                          grpc_slice_buffer *protected_slices,
+                          grpc_slice_buffer *unprotected_slices);
+  void (*destroy)(tsi_zero_copy_grpc_protector *self);
+} tsi_zero_copy_grpc_protector_vtable;
+
+struct tsi_zero_copy_grpc_protector {
+  const tsi_zero_copy_grpc_protector_vtable *vtable;
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GRPC_CORE_TSI_TRANSPORT_SECURITY_GRPC_H */

src/core/tsi/transport_security_interface.h

@@ -62,6 +62,15 @@ const char *tsi_result_to_string(tsi_result result);
 
 extern grpc_tracer_flag tsi_tracing_enabled;
 
+/* -- tsi_zero_copy_grpc_protector object --
+
+  This object protects and unprotects grpc slice buffers with zero or minimized
+  memory copy once the handshake is done. Implementations of this object must be
+  thread compatible. This object depends on grpc and the details of this object
+  is defined in transport_security_grpc.h.  */
+
+typedef struct tsi_zero_copy_grpc_protector tsi_zero_copy_grpc_protector;
+
 /* --- tsi_frame_protector object ---
 
   This object protects and unprotects buffers once the handshake is done.

src/python/grpcio/grpc_core_dependencies.py

@@ -246,6 +246,7 @@ CORE_SOURCE_FILES = [
   'src/core/tsi/fake_transport_security.c',
   'src/core/tsi/gts_transport_security.c',
   'src/core/tsi/ssl_transport_security.c',
+  'src/core/tsi/transport_security_grpc.c',
   'src/core/tsi/transport_security.c',
   'src/core/tsi/transport_security_adapter.c',
   'src/core/ext/transport/chttp2/server/chttp2_server.c',

tools/doxygen/Doxyfile.core.internal

@@ -1421,6 +1421,8 @@ src/core/tsi/transport_security.c \
 src/core/tsi/transport_security.h \
 src/core/tsi/transport_security_adapter.c \
 src/core/tsi/transport_security_adapter.h \
+src/core/tsi/transport_security_grpc.c \
+src/core/tsi/transport_security_grpc.h \
 src/core/tsi/transport_security_interface.h \
 third_party/nanopb/pb_common.c \
 third_party/nanopb/pb_decode.c \

tools/run_tests/generated/sources_and_headers.json

@@ -9095,16 +9095,15 @@
     "deps": [
       "gpr", 
       "grpc_base", 
-      "grpc_trace"
+      "grpc_trace", 
+      "tsi_interface"
     ], 
     "headers": [
       "src/core/tsi/fake_transport_security.h", 
       "src/core/tsi/gts_transport_security.h", 
       "src/core/tsi/ssl_transport_security.h", 
       "src/core/tsi/ssl_types.h", 
-      "src/core/tsi/transport_security.h", 
-      "src/core/tsi/transport_security_adapter.h", 
-      "src/core/tsi/transport_security_interface.h"
+      "src/core/tsi/transport_security_grpc.h"
     ], 
     "is_filegroup": true, 
     "language": "c", 
@@ -9117,6 +9116,26 @@
       "src/core/tsi/ssl_transport_security.c", 
       "src/core/tsi/ssl_transport_security.h", 
       "src/core/tsi/ssl_types.h", 
+      "src/core/tsi/transport_security_grpc.c", 
+      "src/core/tsi/transport_security_grpc.h"
+    ], 
+    "third_party": false, 
+    "type": "filegroup"
+  }, 
+  {
+    "deps": [
+      "gpr", 
+      "grpc_trace"
+    ], 
+    "headers": [
+      "src/core/tsi/transport_security.h", 
+      "src/core/tsi/transport_security_adapter.h", 
+      "src/core/tsi/transport_security_interface.h"
+    ], 
+    "is_filegroup": true, 
+    "language": "c", 
+    "name": "tsi_interface", 
+    "src": [
       "src/core/tsi/transport_security.c", 
       "src/core/tsi/transport_security.h", 
       "src/core/tsi/transport_security_adapter.c", 

vsprojects/vcxproj/grpc/grpc.vcxproj

@@ -347,6 +347,7 @@
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\gts_transport_security.h" />
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\ssl_transport_security.h" />
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\ssl_types.h" />
+    <ClInclude Include="$(SolutionDir)\..\src\core\tsi\transport_security_grpc.h" />
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\transport_security.h" />
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\transport_security_adapter.h" />
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\transport_security_interface.h" />
@@ -892,6 +893,8 @@
     </ClCompile>
     <ClCompile Include="$(SolutionDir)\..\src\core\tsi\ssl_transport_security.c">
     </ClCompile>
+    <ClCompile Include="$(SolutionDir)\..\src\core\tsi\transport_security_grpc.c">
+    </ClCompile>
     <ClCompile Include="$(SolutionDir)\..\src\core\tsi\transport_security.c">
     </ClCompile>
     <ClCompile Include="$(SolutionDir)\..\src\core\tsi\transport_security_adapter.c">

vsprojects/vcxproj/grpc/grpc.vcxproj.filters

@@ -556,6 +556,9 @@
     <ClCompile Include="$(SolutionDir)\..\src\core\tsi\ssl_transport_security.c">
       <Filter>src\core\tsi</Filter>
     </ClCompile>
+    <ClCompile Include="$(SolutionDir)\..\src\core\tsi\transport_security_grpc.c">
+      <Filter>src\core\tsi</Filter>
+    </ClCompile>
     <ClCompile Include="$(SolutionDir)\..\src\core\tsi\transport_security.c">
       <Filter>src\core\tsi</Filter>
     </ClCompile>
@@ -1010,6 +1013,9 @@
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\ssl_types.h">
       <Filter>src\core\tsi</Filter>
     </ClInclude>
+    <ClInclude Include="$(SolutionDir)\..\src\core\tsi\transport_security_grpc.h">
+      <Filter>src\core\tsi</Filter>
+    </ClInclude>
     <ClInclude Include="$(SolutionDir)\..\src\core\tsi\transport_security.h">
       <Filter>src\core\tsi</Filter>
     </ClInclude>